Difference between revisions of "Diags (iBoot command)"

From The iPhone Wiki
(Exploit)
Line 5:
==Exploit==
− This is a very simple exploit. In earlier iBoots, if a parameter was given to the 'diags' command, then it would jump to whatever address argv[1] specified, but not before disabling the GPIO devices. You can run unsigned code on the s5l using this, but the GPIOs need to be restored if you intend to use any I/O again (such as the screen or serial or USB).
+ This is a very simple exploit. In earlier iBoots, if a parameter was given to the 'diags' command, then it would jump to whatever address argv[1] specified, but not before disabling the GPIO devices. You can run unsigned code on the S5L using this, but the GPIOs need to be restored if you intend to use any I/O again (such as the screen or serial or USB).
− In 2.0 iBoots, they check the permission register for this command, so the exploit doesn't work.
+ In 2.0 iBoots, they have a flag check on this command (checks bit 4 of the iBoot flags), and that flag will not be present on a retail device, just an engineering one with a 'whitelisted' CHIPID, so this exploit doesn't work.
[[Category:Jailbreaks]]

Revision as of 11:34, 11 December 2008

This was an exploit in pre-2.0 versions of iBoot.

Credit

The dev team

Exploit

This is a very simple exploit. In earlier iBoots, if a parameter was given to the 'diags' command, then it would jump to whatever address argv[1] specified, but not before disabling the GPIO devices. You can run unsigned code on the S5L using this, but the GPIOs need to be restored if you intend to use any I/O again (such as the screen or serial or USB).

In 2.0 iBoots, they have a flag check on this command (checks bit 4 of the iBoot flags), and that flag will not be present on a retail device, just an engineering one with a 'whitelisted' CHIPID, so this exploit doesn't work.
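The two behaviours described above, modelled side by side as an added illustration (this is not iBoot code, and the function names, return codes and the `IBOOT_FLAG_BIT4` mask are assumptions): the pre-2.0 handler accepts any argument as a jump target after tearing down the GPIOs, while the 2.0-style handler refuses the whole command unless bit 4 of the iBoot flags is set, which is how a retail device ends up with no path to the jump.

```c
#include <errno.h>
#include <stdint.h>
#include <stdlib.h>

/* Constructed model of the 'diags' handler in both forms the page describes.
 * The mask, status codes and names are assumptions for illustration only;
 * nothing here is taken from iBoot. */

#define IBOOT_FLAG_BIT4 (1u << 4)   /* "bit 4 of the iBoot flags" (assumed mask) */

enum diags_status {
    DIAGS_BUILTIN = 0,   /* no argument: run the built-in diagnostics */
    DIAGS_WOULD_JUMP,    /* argument accepted as a jump target */
    DIAGS_DENIED,        /* 2.0-style flag check failed */
    DIAGS_BAD_ADDR       /* argument is not a parseable address */
};

struct diags_outcome {
    enum diags_status status;
    uint32_t target;     /* parsed address when status == DIAGS_WOULD_JUMP */
    int gpio_disabled;   /* models the GPIO teardown done before the jump */
};

/* Parse a shell-style address ("0x..." or decimal) into a 32-bit value. */
static int parse_addr(const char *s, uint32_t *out) {
    char *end;
    errno = 0;
    unsigned long long v = strtoull(s, &end, 0);
    if (errno || end == s || *end != '\0' || v > UINT32_MAX) return -1;
    *out = (uint32_t)v;
    return 0;
}

/* Pre-2.0 behaviour: argv[1] (arg, NULL when absent) is used as the jump
 * target with no permission check at all. */
struct diags_outcome diags_pre20(const char *arg) {
    struct diags_outcome o = { DIAGS_BUILTIN, 0, 0 };
    if (arg == NULL) return o;
    if (parse_addr(arg, &o.target) != 0) { o.status = DIAGS_BAD_ADDR; return o; }
    o.gpio_disabled = 1;          /* GPIOs are torn down before control transfers */
    o.status = DIAGS_WOULD_JUMP;  /* a real handler would branch to o.target here */
    return o;
}

/* 2.0 behaviour: the whole command is gated on bit 4 of the iBoot flags. */
struct diags_outcome diags_20(const char *arg, uint32_t iboot_flags) {
    struct diags_outcome o = { DIAGS_DENIED, 0, 0 };
    if (!(iboot_flags & IBOOT_FLAG_BIT4)) return o;   /* retail: flag absent */
    return diags_pre20(arg);
}
```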